The Predictability Factor is a weekly deep dive at the intersection of AI, Security, Privacy and Tech, to help you Go From Chaos to Resilience in The World of AI.
March 16, 2026, Jensen Huang walked onto the stage in San Jose to give his keynote saying how every company needs their “OpenClaw strategy”. One of the most notable moments from his keynote wasn't OpenClaw but OpenShell.
The Problem
OpenClaw, built by one Austrian developer Peter Steinberger, valued at billion of dollars is one of the fastest-growing repositories in GitHub history. Even more interesting isn’t just what he built, but what happened after it went viral. By mid-February, OpenAI hired Steinberger and took the project in-house as an open-source platform. On March 16, Jensen Huang stood on a stage in San Jose calling it the operating system for personal AI and comparing its arrival to Linux, Kubernetes, and HTML.
That comparison is not just marketing. It is a category declaration.
OpenClaw opened the next frontier of AI to everyone and became the fastest-growing open source project in history. Mac and Windows are the operating systems for the personal computer. OpenClaw is the operating system for personal AI.
But, as you know, OpenClaw has had immediate security implications for every enterprise in the room.
OpenClaw is an autonomous agent with real-system access that takes actions, not just answers. It organises files. It writes and executes code. It browses the web. It completes multi-step tasks without routing data through the cloud, running instead on local hardware, with access to your systems, your files, and your workflows.
While it’s autonomous, it’s also a living and active security and privacy nightmare.
No external guardrails. No deterministic controls by default. Most people have installed OpenClaw on their laptops connected it to their enterprise infrastructure, given it real-system access not just to personal stuff but to their enterprise network, because there’s no security configuration at the network level blocking it or sandboxing it or securing it in any form, and your laptop happens to be connected to the enterprise network.
Just an agent with access to both the operating on your machine and integrated to your company infrastructure.
That power is also the problem.
There are hundreds and thousands of publicly exposed OpenClaw instances on the Internet.
OpenClaw's original architecture has well-documented vulnerabilities: prompt injection (true for all LLMs), unconstrained file access, root permissions, and the ability to compromise a device remotely (as most instances have been connected to a reverse proxy exposing your localhost through the Internet). Most of these flaws were found and reported within days of launch. Yet, 50000+ instances are still exposed.
The same openness that makes it viral makes it dangerous at an enterprise scale. We don't just need AI that acts, we need one that can do things reliably, safely, securely, ethically and verifiably.
NVIDIA Building Security and Privacy in Agentic AI
Nvidia's response arrived at GTC on March 16. NemoClaw is a stack that installs onto OpenClaw in a single command. But the bigger news isn’t NemoClaw.
It’s OpenShell.
OpenShell is an open-source runtime that sits between your AI agent and your infrastructure. It does not modify how the model thinks or what it generates. It governs what the agent can do, what it can see, and where its data can go, enforcing those constraints at the infrastructure layer rather than the application layer.
I said it earlier, prompting is not equal to security or guardrails. We need deterministic controls both at the infrastructure layer and across the entire AgenticAI’s workflow chain.
What do I mean by that?
More security breaches will happen because of infiltration and compromise across the supply-chain of an AI agent workflow. Think about it like this: you have an AI agent, now it's upgraded but during the upgrade it installs multiple packages, it pulls in different resources and when any part of that is compromised, you bring all those vulnerabilities in with you and the compromised package with you into an agent and an environment that you trust. While you trust it, it’s already compromised. It’s like the SolarWinds attack but for AI agents and their supply chain.
In your mind that trust equation doesn't change, while your supply chain has been already been compromised.
That distinction matters. The previous approach to agent security was essentially asking the agent to police itself, trusting the model's own code to decide what it could and could not access. That's not security. That's a wish list.
OpenShell's architectural thesis is that this approach is fundamentally broken. An agent should not be responsible for its own security. The infrastructure should enforce it regardless of what the agent does, or what someone injects into it.
At its core is OpenShell, a runtime that adds kernel-level sandboxing, a privacy router that monitors agent communication with external systems, and policy-based guardrails that define what the agent can and cannot touch. NemoClaw also installs Nvidia's Nemotron open models locally, and allows agents to reach cloud-based frontier models when needed while keeping those guardrails intact.
It does this through four mechanisms working together:
Sandbox Containment
The agent runs in a kernel-level isolated environment. The code it generates, whether Python scripts, shell commands, or tool calls, executes inside a restricted space. It cannot reach outside its permitted boundary. If the sandbox breaks, the host system is designed to remain untouched.
Deny-by-default Permissions
The agent starts with zero access. It only gets access to what policy explicitly grants, and nothing more. Every binary it can invoke, every network endpoint it can reach, every file path it can write to, is defined in a YAML policy file. YAML was a deliberate choice: compliance officers and auditors can read and verify what an agent is permitted to do without parsing code. Those policies live in version control, travel through your existing review and deployment pipelines. Network policies can be updated live without restarting the agent. Filesystem and process policies are set at sandbox creation.
Per-endpoint Network Policy
Tool calls are filtered against an approved list. Unverified binaries cannot execute. Package downloads from unapproved registries are blocked by network policy. A development team can permit a sandbox to connect to one specific cloud API while blocking every other network destination. Policy is surgical, not broad.
Privacy Router
Sensitive data stays local. The privacy router controls where inference traffic goes and manages credential injection. When agents need frontier model capability, the privacy router decides what leaves the device and in what form. Data that must not cross the organisational perimeter does not cross it.
OpenShell provides the missing infrastructure layer beneath agents to give them the access they need to be productive, while enforcing policy-based security, network, and privacy guardrails. Cisco, CrowdStrike, Google, and Microsoft Security have all announced integration work to embed OpenShell compatibility into their security toolchains, which would bring those guardrails into the broader enterprise security stack.
Nvidia worked with Cisco, CrowdStrike, Google, and Microsoft Security to bring OpenShell compatibility into their respective security toolchains. The underlying hardware is agnostic. OpenShell is fully open source.
ICYMI:
When Critical Systems Hallucinate
🤯 Your Vibe-Coded Org Got Breached, 7 Million Bedrooms Turned into Training Data, Anthropic is Going to Court and AI Ethics. Read full story —>
Where AI Security is Lagging
Both NemoClaw and OpenShell are great for scenarios that have following fundamental security assumptions:
The security issues occur only at runtime, not pre/post deployment
If the AI agent is allowed to run or carry out the actions, then it must be acceptable and trusted output
The model, the skills, and the supply chain are trustworthy before the sandbox starts
We still need to solve three key problems that I see organisations face day-in and day-out:
Validation of the supply chain
OpenShell's policy engine can block an unreviewed binary from executing. It cannot verify the integrity of a skill that passed the verification check but was poisoned in the supply chain before it arrived. Injecting 250 poisoned documents into training data is enough to implant a backdoor that activates under specific trigger phrases while leaving general model performance unchanged. The model loads. OpenShell sees a permitted agent. The backdoor is already inside.
Explainability and Verifiability
OpenShell enforces what the agent can do based on your rules-based policy. It has no mechanism to evaluate whether what the agent produced was accurate, ethical, reliable or aligned with organisational intent. An agent making a credit risk assessment, drafting an M&A briefing, deciding whether an audit report is qualified or not, or recommending a supplier can operate entirely within policy and still produce a confidently wrong output. There is no output validation layer in OpenShell.
Governance and Control
Without validation of data, validation of supply chain, logging reasoning traces, verifying whether the AI accessed only trustworthy resources before the fact and that it behaved correctly and as expected after the fact, there will still be lack of overall governance, monitoring and accountability. OpenShell governs a session at runtime. Anything outside it is still breachable, unverified, unvalidated, ungoverned, and outside OpenShell's visibility. Those layers still need to be governed and controlled across the environment, not just in a runtime session.
OpenShell doesn't solve those problems because it doesn't intend to solve it, which is fine. On its own, OpenShell is necessary. It's absolutely the right step in the right direction. It's just not the end all and be all of AI security and privacy.
NemoClaw makes OpenClaw more usable from an infrastructure standpoint. It adds the security layer the original platform was missing. What it does not solve: governance across systems, consistency of behaviour when the agent operates autonomously over time, and the accountability chain when an agent takes an action that causes real-world damage.
That last problem is not Nvidia's to solve. It is yours.
The moment you deploy an autonomous agent inside your enterprise perimeter, you have created a non-human identity with real-world permissions. It does not sleep. It does not question its instructions. It learns new skills to complete tasks and operates around the clock.
Given the common challenge with prompt injections and data poisoning, it will be imperative for the organisations to measure and verify how an agent came to the output it did, the actions it took and the “intention” (aka the reasoning chain) behind those actions.
Huang put a direct challenge to the room at GTC 2026: "For the CEOs, the question is, what's your OpenClaw strategy? We need it now."
He is right. But your OpenClaw strategy is not just an infrastructure question. It is a governance question that is implemented from development to deployment to runtime and after the fact. The agent is here. The guardrails are improving. The accountability is still entirely yours.
While this level of sandboxing makes the agentic AI behaviour more predictable and controllable, I see most organisations still struggling with the first principles and with the basic security, reliability and verifiability hygiene such as:
Traditional infrastructure security around their AI
Getting their AI to complete a workflow reliably without hallucinations
Understanding what defines a “successful execution”, measuring and evaluating that success
Trust in your infrastructure is not the same as trust in your code, your AI’s actions, your model or your data. Securing the infrastructure is a critical first step. You still need to think about explainability (think reasoning trace capture, not just showing steps but logging what shaped the decision), verifiability (think of verification at all levels: infra, actions, supply-chain and output), auditability (think logs through actions and decision making) and accountability (especially think non-human identities, their output and consequences).
Until next time, this is Monica, signing off!
— Monica Verma
P.S. Please follow me/subscribe on Youtube, Linkedin, Spotify and Apple. It truly helps. Or book a 1-1 advisory call, if I can help you.
***
